BOLO: FireBall Browser Malware

,

Checkpoint Software Technologies reported an outbreak of browser-based Malware called “FireBall“.   This malware delivers unwanted ads and popups and completely takes over your web browsers.  It was created by the Chinese advertising company, “Rafotech“.

ScreenShot262

FireBall gets installed as a bundle from other legitimate programs downloaded from the Internet.  However, it has a great deal of sophistication, including a Command and Control (C&C) architecture, malware downloaders, droppers, and sniffers, can perform remote code execution, and evades detection.  It is believed to have infected computers within 20% of all corporate networks.

  • 25.3 million infections in India (10.1%)
  • 24.1 million in Brazil (9.6%)
  • 16.1 million in Mexico (6.4%)
  • 13.1 million in Indonesia (5.2%)
  • 5.5 million In US (2.2%)

figure-1

Signs of infection include changing the browser’s Home Page and Search Engines.  Usually, the browser is changed to “Trotux”, but it can be any of the following:

  • attirerpage[.]com
  • s2s[.]rafotech[.]com
  • trotux[.]com
  • startpageing123[.]com
  • funcionapage[.]com
  • universalsearches[.]com
  • thewebanswers[.]com
  • nicesearches[.]com
  • youndoo[.]com
  • giqepofa[.]com
  • mustang-browser[.]com
  • forestbrowser[.]com
  • luckysearch123[.]com
  • ooxxsearch[.]com
  • search2000s[.]com
  • walasearch[.]com
  • hohosearch[.]com
  • yessearches[.]com
  • d3l4qa0kmel7is[.]cloudfront[.]net
  • d5ou3dytze6uf[.]cloudfront[.]net
  • d1vh0xkmncek4z[.]cloudfront[.]net
  • d26r15y2ken1t9[.]cloudfront[.]net
  • d11eq81k50lwgi[.]cloudfront[.]net
  • ddyv8sl7ewq1w[.]cloudfront[.]net
  • d3i1asoswufp5k[.]cloudfront[.]net
  • dc44qjwal3p07[.]cloudfront[.]net
  • dv2m1uumnsgtu[.]cloudfront[.]net
  • d1mxvenloqrqmu[.]cloudfront[.]net
  • dfrs12kz9qye2[.]cloudfront[.]net
  • dgkytklfjrqkb[.]cloudfront[.]net
  • dgkytklfjrqkb[.]cloudfront[.]net/main/trmz[.]exe

To fix the problem, you must first uninstall the software from the Computer.  In Windows, this is in Control Panel -> Programs.  Then you must remove any browser plugins and reset the web browsers to their default values.

Malware removal programs like Super Anti-Spyware, MalwareBytes, or Adwcleaner can be used to cleanup the infection if their malware databases have been updated.

The original article from Checkpoint Software Technologies is here.